SMT Solvers for Software Security George Nosenko, Security researcher at Digital Security.
-
Upload
frank-mccormick -
Category
Documents
-
view
220 -
download
0
Transcript of SMT Solvers for Software Security George Nosenko, Security researcher at Digital Security.
SMT Solvers for Software Security
George Nosenko,
Security researcher at Digital Security
© 2002—2013, Digital Security
#whoami
SMT Solvers for Software Security
• Member of DSecRG.
• System Developer
• Reverse Engineer
• Security Researcher
© 2002—2013, Digital Security
What is a SMT Solver?
SMT Solvers in very simple terms
Just like the first time using a SMT constraint solver
© 2002—2013, Digital Security
What is a SMT Solver?
Solver is a program
You ask a question “What is the meaning of life?”
Solver tries to answer “42”
SMT Solvers in very simple terms
© 2002—2013, Digital Security
How can I ask a question?
Question is a logical formulab+2 = c, f(read(write(a,b,3), c-2)) ≠ f(c-b+1)
SMT-LIB: Language for expressing formulas http://smtlib.org/
All solvers understand this language
SMT Solvers in very simple terms
© 2002—2013, Digital Security
What solver should I choose?
There are many SMT-solvers (over 20)CVC3, CVC4, STP, Alt-Ergo, Yices, Z3, etc
Z3 is my choice Efficient SMT solver Open Source Project: http://z3.codeplex.com Python, C/C++, .NET binding Available online Support Windows & Linux
SMT Solvers in very simple terms
© 2002—2013, Digital Security
SAT or not SAT? Ask a question.
structure of formula declaration precondition postcondition
answer sat, unsat, unknown satisfiability validity
model
SMT Solvers in very simple terms
http://rise4fun.com/Z3/pLpMc
(declare-const work Int)(declare-const sleep Int)(declare-const fun Int)
(assert (>= work 40))(assert (>= sleep 42))(assert (>= fun work))
(assert (= (+ work (+ sleep fun)) 168))
(check-sat)(get-model)
sat (model (sleep: 42, fun: 63, work 63)
Taint Nobody Got Time for Crash
© 2002—2013, Digital Security
Properties of SMT solvers
Mathematical precision
Expressive power
Data model
Efficient implementation
Support Bit-vector & Array
SMT Solvers in very simple terms
© 2002—2013, Digital Security
SMT Solvers for Software Security
SMT Solvers for Software Security
© 2002—2013, Digital Security
Applications
Bug Hunting Fuzzing (whitebox or blackbox) Program Verification & Analysis
Exploit Generation PoC, AEG, APEG
Automate generate payload
Protection Analysis Obfuscation Crypto Analysis
Malware Analysis
SMT Solvers for Software Security
© 2002—2013, Digital Security
What’s the point?
SMT Solvers for Software Security
Idea: convert portions of code into logical formulas, and use SMT solver to prove properties about them
add eax, ebxxor ebx, ebxsub ecx, 0x123setz bladd eax, ebx
Is this snippet equivalent to “add eax, ebx”?
What value must EAX have at the beginning of this snippet in order for EAX to be 0x12345678 after the snippet executes?
sub bl, blmovzx ebx, bladd ebx, 0xbbbbbbbbadd eax, ebx
http://recon.cx/2012/schedule/attachments/52_semantics-based-methods.pdf
Taint Nobody Got Time for Crash
© 2002—2013, Digital Security
BV Operations in SMT-LIB 2.0
SMT Solvers for Software Security
=/bvcomp
distinct
ite
bvand
bvor
bvxor
bvnot
bvnand
bvnor
bvxnor
bvneg
concatextractbvshlbvlshrbvashrrepeatzero_extendsign_extendrotate_leftrotate_right
bvadd
bvmul
bvudiv
bvurem
bvsub
bvsdiv
bvsrem
bvsmod
bvshl
bvlshr
bvashr
bvult
bvule
bvugt
bvuge
bvslt
bvsle
bvsgt
bvsge
Slides - SMT Workshop 2013
© 2002—2013, Digital Security
Array Operations in SMT-LIB 2.0: select-store axioms
SMT Solvers for Software Security
1. Expression (select a i) returns the value stored at position i of the array a;
2. And (store a i v) returns a new array identical to a, but on position i it contains the value v.
(declare-const x Int)(declare-const y Int)(declare-const a1 (Array Int Int))
(assert (= (select a1 x) x))(assert (= (store a1 x y) a1))
(check-sat)
© 2002—2013, Digital Security
Binary Analysis Platform: http://bap.ece.cmu.edu/
SMT Solvers for Software Security
addr 0x0 @asm "add %rax,%rbx" label pc_0x0 T_t1:u64 = R_RBX:u64 T_t2:u64 = R_RAX:u64 R_RBX:u64 = R_RBX:u64 + T_t2:u64 R_CF:bool = R_RBX:u64 < T_t1:u64 R_OF:bool = high:bool((T_t1:u64 ^ ~T_t2:u64) & (T_t1:u64 ^ R_RBX:u64)) R_AF:bool = 0x10:u64 == (0x10:u64 & (R_RBX:u64 ^ T_t1:u64^T_t2:u64)) R_PF:bool =
~low:bool(let T_acc:u64 := R_RBX:u64 >> 4:u64 ^ R_RBX:u64 in let T_acc:u64 := T_acc:u64 >> 2:u64 ^ T_acc:u64 in T_acc:u64 >> 1:u64 ^ T_acc:u64)
R_SF:bool = high:bool(R_RBX:u64) R_ZF:bool = 0:u64 == R_RBX:u64
BIL code for add %rax, %rbx
© 2002—2013, Digital Security
Bug Hunting
SMT Solvers for Software Security
© 2002—2013, Digital Security
Vulnerability related with Integer
CWE-190,191,192,194,196
May cause: Bypass sanity check Buffer Overflow Dangling Pointer Use after free Application specific
Bug Hunting
© 2002—2013, Digital Security
Integer Overflow in Linux Kernel. CVE-2013-2596
Bug Hunting
© 2002—2013, Digital Security
Integer Overflow in Linux Kernel. CVE-2013-2596
Bug Hunting
static int fb_mmap(struct file *file, struct vm_area_struct * vma){ if (!info) return -ENODEV;... off = vma->vm_pgoff << PAGE_SHIFT; fb = info->fbops; if (!fb) return -ENODEV;... /* frame buffer memory */ start = info->fix.smem_start; len = PAGE_ALIGN((start & ~PAGE_MASK) + info->fix.smem_len); if (off >= len) { /* memory mapped io */ off -= len;... start = info->fix.mmio_start; len = PAGE_ALIGN((start & ~PAGE_MASK) + info->fix.mmio_len); } mutex_unlock(&info->mm_lock); start &= PAGE_MASK; if ((vma->vm_end - vma->vm_start + off) > len) return -EINVAL;... fb_pgprotect(file, vma, off); if (io_remap_pfn_range(vma, vma->vm_start, off >> PAGE_SHIFT, vma->vm_end - vma->vm_start, vma->vm_page_prot)) return -EAGAIN; return 0;}
© 2002—2013, Digital Security
How does Motochopper work?
1728 open("/dev/graphics/fb0", O_RDWR) = 6...1728 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_SHARED, 6, 0) = 0x400f2000...1728 munmap(0x4015b000, 9433088) = 01728 mmap2(NULL, 9437184, PROT_READ|PROT_WRITE, MAP_SHARED, 6, 0) = 0x4015b0001728 munmap(0x4015b000, 9437184) = 01728 mmap2(NULL, 9441280, PROT_READ|PROT_WRITE, MAP_SHARED, 6, 0) = -1 EINVAL (Invalidargument)
1728 mmap2(NULL, 2415919104, PROT_READ|PROT_WRITE, MAP_SHARED, 6, 0x70900) = -1 ENOMEM1728 mmap2(NULL, 2231369728, PROT_READ|PROT_WRITE, MAP_SHARED, 6, 0x7b900) = -1 ENOMEM(Out of memory)1728 mmap2(NULL, 2214592512, PROT_READ|PROT_WRITE, MAP_SHARED, 6, 0x7c900) = -1 ENOMEM(Out of memory)...(Out of memory)1728 mmap2(NULL, 2113929216, PROT_READ|PROT_WRITE, MAP_SHARED, 6, 0x82900) = 0x4015b000
Bug Hunting
NAME mmap2 - map files or devices into memory
#include <sys/mman.h>
void *mmap2(void *addr, size_t length, int prot, int flags, int fd, off_t pgoffset);
© 2002—2013, Digital Security
Integer Overflow in Linux Kernel. CVE-2013-2596
Bug Hunting
© 2002—2013, Digital Security
Integer Overflow in OpenSSH. CVE-2002-0639
Bug Hunting
© 2002—2013, Digital Security
Integer Overflow in OpenSSH. CVE-2002-0639
Bug Hunting
input_userauth_info_response(){
...u_int nresp;...nresp = packet_get_int();
if (nresp > 0) {response = xmalloc(nresp * sizeof(char*));
for (i = 0; i < nresp; i++)response[i] = packet_get_string(NULL);}packet_check_eom();}
© 2002—2013, Digital Security
Integer Overflow in OpenSSH. CVE-2002-0639
Bug Hunting
(declare-const sizeof (_ BitVec 32))
(declare-const nresp (_ BitVec 32))
(declare-const mult (_ BitVec 32))
(assert ( = sizeof (_ bv4 32))) ; sizeof (char*) = 4
(assert ( = mult (bvmul nresp sizeof))) ; nresp*sizeof
(assert ( bvugt nresp (_ bv0 32) )) ; nresp > 0
(assert ( bvult mult nresp)) ; nresp*sizeof < nresp
(assert ( = mult (_ bv256 32))) ; nresp*sizeof = 256
(check-sat)
(get-model)
© 2002—2013, Digital Security
Verification & Static analyze with SMT
Bug Hunting
Single collaborative framework
It’s not heuristic bug-finding
It allows user to manipulate
Functional specification
Prove that source code satisfies specification Expands with plug-ins
ACSL is a behavioral specification language
© 2002—2013, Digital Security
Jessie: verification tools for C programs
Jessie is a plug-in for the Frama-C
Functional Checking
Safety Checking Memory Safety Integer Overflow Checking Termination
Bug Hunting
© 2002—2013, Digital Security
Jessie: Integer Overflow Safety
Bug Hunting
#pragma JessieTerminationPolicy(user) //@ requires n >= 0 && \valid_range(t,0,n−1); int binary_search(long t[], int n, long v) { int l = 0, u = n-1; //@ loop invariant 0 <= l && u <= n−1; while (l <= u) { int m = l + (u - l) / 2; //int m = (l + u) / 2; if (t[m] < v) l = m + 1; else if (t[m] > v) u = m - 1; else return m; } return -1; }
> frama-c -jessie binary-search.c
© 2002—2013, Digital Security
Immunity Debugger & SMT: Infrastructure
Bug Hunting
SequenceAnalyzer – Models x86 as operations over a set of SMT primitives.
Solver – Ctypes interface to the CVC3 SMT solver API. Supports a variety of theories including quantifier free, bit-vector arithmetic, linear arithmetic etc.
CodeGraph/PathGenerator – Purely static CFG building and path generation.
PathWalker – SMT based path traversal. Each conditional jump is checked for feasibility and the path discarded if not SAT.
BugChecker – Subclasses provide the check_ins method which will be passed the SMT context representing the current path.
© 2002—2013, Digital Security
Immunity Debugger & SMT: !find_int_overwlow.py
Bug Hunting
© 2002—2013, Digital Security
SMT in protection analysis
PROTECTION ANALYSIS
© 2002—2013, Digital Security
Using SMT to defeat simple hashing algorithms
SMT in protection analysis
def round_hash(a, b, c, d): out = [ ]
for i, n in enumerate((a, b, c, d)): nn = 0 for j in range(32): nn |= (rotl(n, SCRAMBLE_TABLE[(i << 2)+j]) & 1) << j nn ^= XOR_TABLE[i] out.append(nn)
out[0] = rotl(out[0], ROT_TABLE[0]) out[1] = rotl(out[1], ROT_TABLE[1]) out[2] = rotl(out[2], ROT_TABLE[2]) out[3] = rotl(out[2], ROT_TABLE[3]) return out
a ^= cb ^= dfor i in range(128):
a, b, c, d = round_hash(a, b, c, d)
© 2002—2013, Digital Security
Automated KeyGen Generation. Kao’s Toy Project
SMT in protection analysis
© 2002—2013, Digital Security
Automated KeyGen Generation. Kao’s Toy Project
SMT in protection analysis
Lift the checking algorithm to BIL
./toil -binrange ~/toyproject.exe 0x401105 0x401111 -o checkUnlockCode.il
Convert BIL to single static assignment form (SSA), unroll loop
./iltrans -il checkUnlockCode.il -to-ssa -simp-ssa -to-cfg -unroll 31 -rm-cycles \-rm-indirect-ast -to-ast -normalize-mem -flatten-mem -pp-ast checkUnlockUnroll.il
egrep -v '^cjmp.*$' checkUnlockUnroll.il > checkUnlockUnrollOpt.il
Convert BIL to SMT-formula
./topredicate -il checkUnlockUnrollOpt.il -noopt -solver z3 -stp-out checkLoop.smt
line 18: assert --> define-fun alg () (Array (_ BitVec 32) (_ BitVec 8))line 921: false --> ?mem_array_83_670
© 2002—2013, Digital Security
Create precondition and postcondition
SMT in protection analysis
© 2002—2013, Digital Security
Automatic Exploit Generation
AEG
Automatically craft an input that redirects control flow Loosely defined as “Given a program and a vulnerability, automatically craft an input that redirects control flow to malicious code”
Automated Payload Creation
© 2002—2013, Digital Security
Automatically craft an input that hijacks control flow
AEG
Get the trace to vulnerable code
Convert the trace into set of constraintsFFreachreach
Generate the set of conditions that make code exploitable FFexploit = exploit = CCval val UU CCaddraddr
Solve (F(Freach reach UU FFexploitexploit))
SMT-solver defines required input
© 2002—2013, Digital Security
Automatically craft an input that hijacks control flow
AEG
Freach = { t0= eax + ebx, zf ==1 }
Cval = { eax = 0xdeadbeef }
Caddr ={ t1= ebp + 4, t1 = ebp +ecx }
Fexploit = Cval U Caddr
© 2002—2013, Digital Security
Automatically craft an input that hijacks control flow
AEG
http://rise4fun.com/Z3/j2Y
Freach = {t0 = eax + ebx, zf == 1}
Cval = { eax = 0xdeadbeef }
Caddr ={t1 = ebp + 4, t1 = ebp + ecx}
Fexploit = Cval U Caddr
Input ={eax = 0xdeadbeef,ebx = 0x21524111, ecx = 4}
(declare-const t0 (_ BitVec 32))(declare-const t1 (_ BitVec 32))
(declare-const eax (_ BitVec 32))(declare-const ebx (_ BitVec 32))(declare-const ecx (_ BitVec 32))(declare-const ebp (_ BitVec 32))
; Freach = {zf = 1, t0 = eax + ebx}(assert (= t0 (bvadd eax ebx))) ; t0 = eax + ebx(assert (= t0 #x00000000)) ; zf = 1
; Cval = { eax = 0xDEADBEEF }(assert (= eax #xdeadbeef)) ; eax = 0xDEADBEEF
; Caddr = { t1 = ebp + 4, t1 = ebp + ecx}(assert (and (= t1 (bvadd ebp #x00000004)) ; t1 = ebp + 4 (= t1 (bvadd ebp ecx))) ; t2 = ebp + ecx)
sat (model (define-fun ecx () (_ BitVec 32) #x00000004) (define-fun eax () (_ BitVec 32) #xdeadbeef) (define-fun ebx () (_ BitVec 32) #x21524111) )
© 2002—2013, Digital Security
Automated Payload Creation
Automate Generation Payload
Data Execution Prevention (DEP)
Windows 8 ROP mitigation enforces policies on who/where can call VirtualAlloc() or VirtualProtect() to enable memory executable at run-time
IOS already totally forbid code injection: Writable pages have NX permission & only signed pages are executable
Return Oriented Programming
fun at first time, then hurt
hundreds and thousands of ROP-gadgets
“bad characters"
find a suitable gadget can be difficult
research efforts aimed at solving the problem of automatic generation ROP-chains
© 2002—2013, Digital Security
An interesting example from 0verckl0ck
Given:
we can write into eax, but only ASCII printable char
we have ROP-gadgets like these:
add eax, 0xc9f4458b; add eax, 0xdeadbeef;add eax, 0x0fcf; add eax, 0x13b2;add eax, 0x1337; add eax, 0x42;Goal:
make eax = 0xb00bdead
determine the initial value eax
find the minimum sequence of calls gadgets
Automate Generation Payload
© 2002—2013, Digital Security
An interesting example from 0verckl0ck
source: http://rise4fun.com/Z3Py/OrzPassert( init_eax + g1*0xc9f4458b +
g2*0xdeadbeef + g3*0x0fcf + g4*0x13b2 +g5*0x1337 + g6*0x42 = 0xb00bdead)
assert(ascii_printable( init_eax ) )sum (g1,g2,g3,g4,g5,g6) --> min
answer:0x522e707c + 3*0xc9f4458b + 8*0x13b2 = 0xb00bdead
Automate Generation Payload
© 2002—2013, Digital Security
Finding gadgets with specific samntics
Automate Generation Payload
http://www.immunitysec.com/downloads/sean_ruxcon2010.pdf
© 2002—2013, Digital Security
Immunity Debugger: !find_gadget
Automate Generation Payload
This script looks for a sequence that satisfies the constraints we specify
© 2002—2013, Digital Security
OptiROP
Automate Generation Payload
© 2002—2013, Digital Security
OptiROP
Automate Generation Payload
© 2002—2013, Digital Security
ROPC: https://github.com/pakt/ropc
Automate Generation Payload
© 2002—2013, Digital Security
ROPC : Type of gadgets that ROPC find &use
Automate Generation Payload
Name Input Parameters Semantic Definition
NopG _ _ nop
LoadConstG OutReg, Value _ OutReg Value
MoveRegG InReg, OutReg _ OutReg InReg
ArithmeticG InReg1, InReg2, OutReg op OutReg <- InReg1 op InReg2
StoreMemG AddrReg, InReg # Bytes, Offset M[AddrReg+Offset]<-InReg
LoadMemReg AddrReg, OutReg # Bytes, Offset OutRegM[AddrReg+Offset]
ArithmeticStoreG InReg, AddrReg # Bytes, Offset, op M[AddrReg+Offset] op InReg
ArithmeticLoadG OutReg, AddrReg# Bytes, Offset, op
OutReg op M[AddrReg+Offset
© 2002—2013, Digital Security
ROPC-LLVM: https://github.com/programa-stic/ropc-llvm
Automate Generation Payload
© 2002—2013, Digital Security
Questions ?
SMT Solvers for Software Security